From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Emil Tsalapatis <emil@etsalapatis.com>,
	kkd@meta.com, kernel-team@meta.com
Subject: [PATCH bpf-next v2 17/17] bpf: Gate verifier diagnostics on log level
Date: Fri, 19 Jun 2026 22:59:30 +0200
Message-ID: <20260619205934.1312876-18-memxor@gmail.com>
In-Reply-To: <20260619205934.1312876-1-memxor@gmail.com>

Verifier diagnostics collect active-path history and render richer reports for
selected verifier failures. That work is useful only when the caller requests
normal verifier log output.

Do not enable diagnostic collection or report rendering for BPF_LOG_STATS-only
loads. Stats-only loads still need the verifier's summary counters, but not
the extra path history used by diagnostic reports.

Keep enablement in the verifier environment and requested log mode so async
callback verification uses the same diagnostic policy as the main verifier
pass.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
 kernel/bpf/diagnostics.c |  6 ++++++
 kernel/bpf/verifier.c    | 24 +++++++++++++++---------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/kernel/bpf/diagnostics.c b/kernel/bpf/diagnostics.c
index d27bd314d194..f10654dc6af8 100644
--- a/kernel/bpf/diagnostics.c
+++ b/kernel/bpf/diagnostics.c
@@ -1162,6 +1162,9 @@ void bpf_diag_report_limit(struct bpf_verifier_env *env, u32 insn_idx,
 	char *reason, *text;
 	va_list args;
 
+	if (!bpf_diag_enabled(env))
+		return;
+
 	bpf_diag_report_header(env, BPF_DIAG_CATEGORY_VERIFIER_LIMIT,
 			       "limit exceeded");
 	bpf_diag_report_section(env, "Reason");
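Review bot: The new early return at the top of bpf_diag_report_limit() depends on bpf_diag_enabled(env), but neither file in this patch touches that helper or mentions BPF_LOG_STATS, so the log-level policy the commit message describes is not visible in these hunks. Please say in the commit message which earlier patch defines bpf_diag_enabled() and that it already tests the requested log mode, or carry that change in this patch so the gate can be reviewed together with its users.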
@@ -2422,6 +2425,9 @@ void bpf_diag_print_history(struct bpf_verifier_env *env,
 	int start_idx;
 	u32 i;
 
+	if (!bpf_diag_enabled(env))
+		return;
+
 	bpf_diag_report_section(env, "Causal path");
 
 	if (!env->diag) {
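Review bot: In bpf_diag_print_history() the new bpf_diag_enabled(env) return sits just above the existing `if (!env->diag) {` branch, and the two now behave differently: the disabled case prints nothing, while the !env->diag case still emits the "Causal path" section header first. A short comment stating how bpf_diag_enabled() relates to env->diag (whether enabled implies a non-NULL env->diag) would tell the reader whether the older branch is still reachable.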
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 5c60fe033271..cdba76eb35bc 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5359,7 +5359,9 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
 	 * of caller's stack as shown on the example above.
 	 */
 	if (idx && subprog[idx].has_tail_call && depth >= 256) {
-		char *chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
+		char *chain = bpf_diag_enabled(env) ?
+			      bpf_diag_alloc_subprog_call_chain(env, dinfo, idx) :
+			      NULL;
 
 		verbose(env,
 			"tail_calls are not allowed when call stack of previous frames is %d bytes. Too large\n",
@@ -5391,11 +5393,12 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
 		if (subprog_depth > env->max_stack_depth)
 			env->max_stack_depth = subprog_depth;
 		if (subprog_depth > MAX_BPF_STACK) {
-			char *chain;
+			char *chain = NULL;
 
 			verbose(env, "stack size of subprog %d is %d. Too large\n",
 				idx, subprog_depth);
-			chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
+			if (bpf_diag_enabled(env))
+				chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
 			bpf_diag_report_limit(env, subprog[idx].start,
 					      "subprogram stack depth",
 					      "Reduce stack usage in this subprogram, or move large data out of the BPF stack.",
@@ -5417,9 +5420,10 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
 			verbose(env, "combined stack size of %d calls is %d. Too large\n",
 				total, depth);
 			{
-				char *chain;
+				char *chain = NULL;
 
-				chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
+				if (bpf_diag_enabled(env))
+					chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
 				bpf_diag_report_limit(env, subprog[idx].start,
 						      "combined call stack depth",
 						      "Reduce stack usage or call depth along this call chain.",
@@ -5497,11 +5501,12 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx,
 
 		frame = bpf_subprog_is_global(env, idx) ? 0 : frame + 1;
 		if (frame >= MAX_CALL_FRAMES) {
-			char *chain;
+			char *chain = NULL;
 
 			verbose(env, "the call stack of %d frames is too deep !\n",
 				frame);
-			chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
+			if (bpf_diag_enabled(env))
+				chain = bpf_diag_alloc_subprog_call_chain(env, dinfo, idx);
 			bpf_diag_report_limit(env, call_insn,
 					      "bpf2bpf call frames",
 					      "Reduce the number of nested bpf2bpf calls on this path.",
@@ -9760,11 +9765,12 @@ static int setup_func_entry(struct bpf_verifier_env *env, int subprog, int calls
 	int err;
 
 	if (state->curframe + 1 >= MAX_CALL_FRAMES) {
-		char *chain;
+		char *chain = NULL;
 
 		verbose(env, "the call stack of %d frames is too deep\n",
 			state->curframe + 2);
-		chain = bpf_diag_alloc_state_call_chain(env, state, subprog);
+		if (bpf_diag_enabled(env))
+			chain = bpf_diag_alloc_state_call_chain(env, state, subprog);
 		bpf_diag_report_limit(env, callsite, "bpf2bpf call frames",
 				      "Reduce the number of nested bpf2bpf calls on this path.",
 				      "Call chain %s would create %d verifier call frames, exceeding the %d frame limit",
-- 
2.53.0


Thread overview: 34+ messages
2026-06-19 20:59 [PATCH bpf-next v2 00/17] Redesign Verification Errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 01/17] bpf: Add verifier diagnostics report helpers Kumar Kartikeya Dwivedi
2026-06-19 21:09   ` sashiko-bot
2026-06-19 20:59 ` [PATCH bpf-next v2 02/17] bpf: Add source and instruction diagnostic context Kumar Kartikeya Dwivedi
2026-06-19 21:46   ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 03/17] bpf: Add verifier diagnostic event log Kumar Kartikeya Dwivedi
2026-06-19 21:46   ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 04/17] bpf: Prune verifier diagnostics on backtracking Kumar Kartikeya Dwivedi
2026-06-19 21:46   ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 05/17] bpf: Track verifier register diagnostic events Kumar Kartikeya Dwivedi
2026-06-19 21:18   ` sashiko-bot
2026-06-19 23:35   ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 06/17] bpf: Track verifier reference " Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 07/17] bpf: Track verifier context " Kumar Kartikeya Dwivedi
2026-06-19 21:13   ` sashiko-bot
2026-06-19 21:19     ` Kumar Kartikeya Dwivedi
2026-06-19 21:46   ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 08/17] bpf: Report Register Type Safety errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 09/17] bpf: Report Memory Safety bounds errors Kumar Kartikeya Dwivedi
2026-06-19 21:46   ` bot+bpf-ci
2026-06-19 23:40   ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 10/17] bpf: Report Resource Lifetime reference leaks Kumar Kartikeya Dwivedi
2026-06-19 21:12   ` sashiko-bot
2026-06-19 23:42   ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 11/17] bpf: Report Call Type Safety argument errors Kumar Kartikeya Dwivedi
2026-06-19 21:47   ` bot+bpf-ci
2026-06-19 20:59 ` [PATCH bpf-next v2 12/17] bpf: Report Execution Context Safety errors Kumar Kartikeya Dwivedi
2026-06-19 21:19   ` sashiko-bot
2026-06-19 23:44   ` Alexei Starovoitov
2026-06-19 20:59 ` [PATCH bpf-next v2 13/17] bpf: Report Program Structure CFG errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 14/17] bpf: Report Policy helper and kfunc errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 15/17] bpf: Report Verifier Limit errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` [PATCH bpf-next v2 16/17] bpf: Report Verifier Internal errors Kumar Kartikeya Dwivedi
2026-06-19 20:59 ` Kumar Kartikeya Dwivedi [this message]
